PATIENT HIPAA MANUAL PATIENT PRIVACY The Privacy Rule was created in order to build a uniform standard for health care providers in establishing regulations for releasing a patient’s “personal health information” or PHI. The Privacy Rule centers on when healthcare providers can release PHI without patient consent, and when patient authorization is required. It also details how much patient information should be disclosed and under what circumstances. Before we go into the actual Privacy laws it is important that you understand a central term in the Privacy Regulations. This term is “TPO”, which stands for treatment, payment, or healthcare operations. Whether or not a disclosure of a patient’s PHI is for purposes of treatment, payment, or healthcare operations will determine if patient authorization is needed. If a disclosure of patient PHI is made to a third-party for purposes of treatment, payment, or healthcare operations, no patient authorization is required. Examples of this type of disclosure would be those made to your billing service or those made to a specialist who is treating your patient. If the disclosure is for some other “non-routine” purpose, then patient authorization is required. An example of this type of disclosure might be for marketing or research purposes. Our practice has developed our “Patient Privacy Policy” which details under what circumstances we will routinely release patient information without a patient’s prior consent (i.e. T.P.O.), and under what circumstances we will be required to obtain a patient’s authorization. Please review the copy of our practice’s Privacy Policy located in the “Forms & Documents” section of this manual and become familiar with it. A copy of our Patient Privacy Policy must be provided to each of our patients during their next visit, and should also be posted in our lobby. ACKNOWLEDGEMENT OF RECEIPT OF OUR NOTICE OF PRIVACY PRACTICES We are required to make a good faith effort to obtain an individual's written acknowledgement of receipt of our notice of privacy practices. The purpose of this acknowledgement process is to alert patients to the importance of our privacy notice and provide them the opportunity to discuss privacy issues with us. This acknowledgement should be obtained at the time of the first service delivery, which would generally be when the patient arrives in your office for an appointment. While the rule requires the acknowledgement to be in writing, it does not prescribe the other details such as the form that the acknowledgement must take or the process for obtaining the acknowledgement. For example, all of the following methods specifically satisfy the definition of written acknowledgement: A signature on either a separate page or on a signature list, A patient placing his or her initials on a cover sheet of the notice to be retained by the provider, An electronic acknowledgement where the patient transmits the receipt of acknowledgement, which may not necessarily his or her signature (this is an important point and as such a quotation from the final rule is included: "Generally, the privacy rule allows for electronic documents to qualify as written documents for purposes of meeting the rules requirements. This also applies with respect to the notice acknowledgement. For notice delivered electronically, the department intends a return receipt or other transmission from the individual to suffice as the notice acknowledgement. For notice delivered on paper in a face-to-face encounter with the provider, although it is unclear to the Department how exactly the provider may do so, the rule does not preclude providers from obtaining the individual's written acknowledgments electronically. The Department cautions, however, that the notice acknowledgement process is intended to alert individuals to the importance of the notice and provide them the opportunity to discuss privacy issues with their providers. To ensure that individuals are aware of the importance of the notice, the rule requires that the individual's acknowledgement the in writing. Thus the department would not consider a receptionists notation in a computer system to be an individual's written acknowledgment.") If an individual refuses to sign or otherwise fails to provide an acknowledgment, we are required to document our good-faith efforts to obtain the acknowledgement and the reason why the acknowledgement was not obtained. Failure to obtain an individual's acknowledgement, assuming we otherwise documented our good faith effort, is not a violation of the rule. For example, there is no rule violation if an individual refuses to sign the acknowledgement after they were requested to do so or if an individual is mailed the notice of privacy policy and chooses not to mail back his or her receipt of acknowledgement. By law of our office must retain acknowledgement receipts for six years from the date received. The rule does not dictate the form in which the acknowledgments are to be saved. Although not required, other covered entities (including us), may if they choose, require patients to provide written consent for the use and disclosure of protected health information. However we are not required to determine the restrictions on another covered entity’s consent form before disclosing information to that entity for TPO purposes. AUTHORIZATIONS An authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Please see copy of our Patient Authorization Form to release PHI in the “Documents & Forms” section of this manual. It covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed. All covered entities, not just direct treatment providers, must obtain an authorization to use or disclose PHI for these purposes. For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance. A provider may have to obtain separate authorizations from the same patient for different uses or disclosures. The privacy rule requires us to obtain authorization to use or disclose PHI maintained in psychotherapy notes for treatment by persons other than the originator of the notes or for payment or for health care operations purposes, except as specified in the privacy rule. An authorization is also required if another entity requests disclosure of PHI for TPO purposes. For example, a health plan seeking payment for a particular service from a second health plan, such as in coordination of benefits or secondary payer situations, may need PHI from a physician who rendered the health-care services. In this case the provider typically has been paid, and the transaction is between the plans. Since our disclosure is for the TPO purposes of the plan, our authority to disclose PHI for TPO would not allow disclosure. Rather, the plan would have to obtain the patient's authorization when requesting such a disclosure. ACCOUNTING FOR DISCLOSURES When our office makes “non - routine” disclosures of PHI for purposes other then TPO, we need to document those disclosures and patients have the right to obtain an accounting of them. Our documentation of such disclosures should include the following elements: D – Date of Disclosure W - Who the recipient is W – What was disclosed P – Purpose of the disclosure PATIENTS ACCESS TO THEIR RECORDS Under HIPAA, patients have the right to access their own medical records. We need to respond to their request within 30 days. Please see our “Patient Request to View / Amend Record” form in the “Forms & Documents” section of this manual. There are three options for granting patient’s access to their medical record: 1. Allow patient to view original copy with a representative from the practice (patients should never be left alone with the original record). 2. Provide a summary of the record, if the patient agrees to it. 3. Provide a copy of the medical record, and a reasonable fee can be charged. Patients also have the right to request changes or amendments to their medical record. Physicians do not have to agree to these requests to amend the record, especially if it would make the record inaccurate. MINIMUM NECESSARY PROVISION HHS has declared that health care workers must take reasonable steps to limit the use or disclosure of, and requests for Personal health information (PHI) to the minimum necessary to accomplish the intended purpose. However, they are also very clear that restricting PHI to the minimum necessary should never out way quality of patient care. A great deal of discretion is provided to the physician on the amount of information provided to a third-party when patient treatment and quality of care is involved. Whenever we deal with PHI always review and/or disclose the least information necessary to deliver the highest quality care. We must determine our own standards for minimum necessary use and disclosure of patient information. The privacy rule requires us to make reasonable efforts to limit use, disclosure of, and request for protected health information to the minimum necessary to accomplish the intended purpose. We have flexibility in assessing what protected health information is reasonably necessary for a particular purpose, given the characteristics of our business and work force. This is a reasonableness standard that calls for good judgment in adhering to generally acknowledged practice standards, while trying to limit any unnecessary sharing of medical information. Exceptions to the Minimum Necessary Provision: Disclosures to or requests by a health care provider for treatment purposes. Disclosures to the individual who is the subject of the information. Uses or disclosures made pursuant to an authorization requested by the individual. Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions.' Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes. Uses or disclosures that are required by other law (i.e Federal or State Law) The privacy rule does not prohibit the use of sign-in sheets, but it is generally recommended that the reason for the patients visit not be included on the sign-in sheet. Keep in mind that nothing in the Privacy Rule prevents you from discussing its concerns with the person making the request, and negotiating an information exchange that meets the needs of both parties. If you have real concern about a request, contact our Compliance Officer. The most difficult situations are when a nonroutine disclosure is needed. As a general rule, these special situations should be discussed with our HIPAA Compliance Officer. In these cases we want to be especially vigilant that we determine and limit disclosure to only the minimum amount of PHI necessary to accomplish the purpose of the non-routine disclosure. We must evaluate our practice and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. If you have any suggestions as to how we can better limit access to and disclosure of our patient information please bring this information to our HIPAA Compliance Officer. The minimum necessary standard is intended to reflect and be consistent with, not override, professional judgment and standards. Please keep in mind that we want to appropriately limit access to personal health information without sacrificing the quality of health care that we offer. COMMON MINIMUM NECESSARY QUESTIONS MEDICAL RESIDENTS, MEDICAL STUDENTS, NURSING STUDENTS AND OTHER MEDICAL TRAINEES The minimum necessary requirements do not prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patients' medical information in the course of their training. The definition of "health care operations" in the rule provides for "conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." THIRD PARTIES The minimum necessary concept does not need to be applied to disclosures to third parties that are authorized by an individual, unless the authorization was requested by a covered entity for its own purposes. The Privacy Rule exempts from the minimum necessary requirements most uses or disclosures that are authorized by an individual. This includes authorizations covered entities may receive directly from third parties, such as life, disability, or casualty insurers pursuant to the patient's application for or claim under an insurance policy. DISCLOSURES TO FEDERAL AND STATE AGENCIES We are not required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies or for individuals' applications for federal or state benefits. These disclosures must be authorized by an individual and, therefore, are exempt from the minimum necessary requirements. DISCLOSURE OF AN ENTIRE MEDICAL RECORD HHS has said that the Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. As with all of our policies the balance is to keep the patients health care utmost in your mind while at the same time divulging the minimum information about the patient that is necessary for their best care. HSS has also said that a covered entity may use, disclose, or request an entire medical record without a case-by-case justification. If the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. STAFF ACCESS & MINIMUM NECESSARY It is important that you are aware of those persons or classes of person in our workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. We must, whenever possible, restrict access to all or part of a patient’s medical record if it is not necessary for an employee to complete their job duties. The Rule says that the basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity. In this light, HHS has said that we should take into account our ability to configure our record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. HHS have said that it may not be reasonable for a small, solo practitioner with largely paper-based records system, to limit access to certain employees. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the rule. This is what is meant by reasonable efforts. MISC. Regarding patient medical charts at bedside, empty prescription vials, X-ray light boards HHS has indicated that specific workplace practices need to remain as they have been developed over the years in order to maintain proper patient care and reasonable workflow. The minimum necessary standards do not prohibit us from maintaining patient medical charts at bedside, nor do they require that we shred empty prescription vials, or require that X-ray light boards be isolated. ORAL COMMUNICATIONS As mentioned earlier in this manual, HHS has stated that the Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. Basic Rules for Oral Communications about Patient Health Records We are required to reasonably safeguard Personal health information (PHI), including oral information, from any intentional or unintentional use or disclosure that is in violation of the Privacy rule. The rules of oral communication basically are the same as those of written communication. You should always use the minimum necessary information for best health care. In particular, with oral communications, we require that our employees be discrete when talking to or about patients. Be aware of who is in the area, who could listen in. Because we discuss health care issues all day, it may be easy to assume a patient is not private about this information. Always assume the patient wants the minimum number of ears to hear the minimum necessary information about their health care. Again, the minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes. "Reasonably safeguard" means that you must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, HHS does not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. HHS has said that in determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards. Remember, balance privacy with patient care. It is important that all our employees interacting with patients speak quietly when discussing a patient's condition with family members in a waiting room or other public area, and avoid speaking about patients in public hallways and elevators. Protection of patient confidentiality is an important part of our practice. If the patient or others has difficulty hearing or exhibits other communication problems, take them to a private area when discussing health information. There is nothing more embarrassing to a patient than to be walking out of a crowded waiting room and have the nurse talking about their treatment or medications. It is not only embarrassing, now it is illegal. Talking to other Providers and Patients The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. The rule only requires covered entities to implement reasonable (there's that word again) safeguards that reflect 'their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. HHS has also said that they also understand that overheard communications are unavoidable. For example, in a busy emergency room, it may be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. Calling out Patient names Calling out a patient’s name in a waiting room is allowed. Private Rooms and Soundproof Walls The Privacy Rule does not require hospitals and physicians' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard. As you work around the office, you should make yourself aware of the level of voice that is needed to maintain privacy in different areas of the office. Once again reasonable safeguards are appropriate. The rule does not require that all risk be eliminated to satisfy this standard. Patient access to oral information HHS has said that covered entities do not need to provide patients access to oral information. The Privacy Rule requires covered entities to provide individuals with access to PHI about themselves that is contained in their "designated record sets." The term "record" in the term "designated record set" does not include oral information; rather, it connotes information that has been recorded in some manner. We do not have to document ALL oral communications If the oral communications you are giving are relevant to any disclosures signed by the patient or if they have anything to do with following The Privacy Rule, or if they can be used in patient care, we recommend that you document this in the patient's records. Once again we strive to provide the best patient care without wasting time documenting events or actions that will not help the patient. BUSINESS ASSOCIATES HHS' definition of a Business Associate A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A business associate is not a member of the health care provider, health plan, or other covered . entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital. In allowing providers and plans to give Personal health information (PHI) to "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will: 1. Use the information only for the purposes for which they were engaged by the covered entity. 2. Safeguard the information from misuse. 3. Help the covered entity comply with the covered entity's duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with the covered entity to provide individuals access to information upon request). HHS has stressed that PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate. If you have any questions about whether a particular business associate of ours is properly contracted under the HIPAA rules, please contact the Compliance Officer. We have a "Business Associates PHI Privacy Agreement" that should be used in situations where required. Business Associates have more narrow provisions of Rule Our contract with business associates covers a set of contractual obligations far narrower than the provisions of the rule, to protect information generally and help us comply with our obligations under the rule. The Privacy Rule does not "pass through" its requirements to business associates or otherwise cause business associates to comply with the terms of the rule. For example, HHS has said that we do not need to ask their business associates to agree to appoint privacy officer, or develop policies and procedures for use and disclosure of PHI. Our Liability for business associates violations of the Privacy Rule HHS has said that a health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. We are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Because businesses by law are specifically covered by the Rule, business associate's violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by our practice. Under our contract, business associates must advise us when violations have occurred. If we become aware of a pattern or practice of a business associate that constitutes a material breach or violation of that business associate's obligations under our contract, we are required by HHS to take "reasonable steps" to cure the breach or to end the violation. PARENTS & MINORS The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves. These rights rest with that individual, or with the "personal representative" of that individual. In general, a person's right to control Personal health information (PHI) is based on that person's right (under state or other applicable law, e.g., tribal or military law) to control the health care itself. The concepts below will give you excellent guidance regarding confidential relationships and parents or guardians. If you find yourself in a situation where you are not sure as to the PHI you should divulge to a parent, guardian or child, please check with our Compliance Officer. Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a "personal representative" of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor. There are exceptions in which a parent might not be the "personal representative" with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor's health care decisions and, thus, does not control the PHI related to that care. When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service, the parent is not the minor's personal representative under the Privacy Rule. For example, when a state law provides an adolescent the right to consent to mental health treatment without the consent of his or her parent, and the adolescent obtains such treatment without the consent of the parent, the parent is not the personal representative under the Privacy Rule for that treatment. The minor may choose to involve a parent in these health care decisions without giving up his or her right to control the related health information. Of course, the minor may always have the parent continue to be his or her personal representative even in these situations. When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or' the court may make the decision(s) itself. In order to not undermine these court decisions, the parent is not the personal representative under the Privacy Rule in these circumstances. In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor's personal representative with respect to the relevant PHI: When a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the health information related to that conversation or relationship. For example, if a physician asks the parent of a 16-year old if the physician can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control the PHI that was discussed during that confidential conference. When a physician (or other covered entity) reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child. State Laws In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (§ 160.202). This is true whether the state law authorizes or prohibits such disclosure. Parental Consent The Privacy Rule addresses access to health information, not the underlying treatment. The Rule does not address consent to treatment, nor does it preempt or change state or other laws that address consent to treatment. Emergency medical care without a parent's consent Even though a parent does not provide consent to treatment in an emergency medical situation, under the Privacy Rule, the parent would still be the child's personal representative. This would not be so only when the minor provided consent (and no other consent is required) or the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child. PATIENT BILLING & PAYMENTS In order to understand the Privacy Rule as it pertains to patient payments, we first must give the HHS definition of payment. "Payment" is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to: Determining eligibility or coverage under a plan and adjudicating claims; Risk adjustments; Billing and collection activities; Reviewing health care services for medical necessity, coverage, justification of charges, and the like; Utilization review activities; and Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity). HHS has said that as provided for by the Privacy Rule, our practice may use and disclose Personal health information (PHI) for payment purposes. Consumer Credit Reporting Agencies The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; and account number. Debt Collection Agencies The Privacy Rule permits our practice to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, and the minimum necessary requirements. Location information services of collection agencies and the Fair Debt Collection Practices Act * As described above, "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities, and related data processing are expressly included in the definition of "payment”. HHS has stated that obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable. Therefore, would constitute a payment activity. We would still have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.